In the World of the High Tech Redneck, the Graybeard is the old guy who earned his gray by making all the mistakes, and then tries to keep the young 'uns from repeating them. Silicon Graybeard is my term for an old hardware engineer; a circuit designer. Here are mental droppings from a newly retired radio engineer running from tech news to economics; from firearms to the world at large; from radio to home machine shops and making all kinds of stuff.

Saturday, May 6, 2017

Got an Android Phone? Ultrasonic Tracking is Growing

In November of '15, I reported on a story about how advertisers were embedding ultrasonic tones, 18 to 20 kHz, in TV ads and using them for a whole new level of user tracking. These tones are beyond normal human hearing, but within the bandwidth of most phones' audio paths.

These sounds, above the range of human hearing, are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While you can't hear the sound, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product. Of course, they also know the location of all those appliances, too.

I don't see how they could know "how long a person watches the ads": you could leave your phone in the room with the TV or computer and be somewhere else. I could see, though, that if your phone shows you were exposed to a TV ad for something and some time later did a web search on that subject, they might conclude you saw it and were influenced by it.

In that article, I wrote about industry-leader SilverPush, a rapidly growing (50% per quarter) Indian software company. Under pressure from the Federal Trade Commission, they promised in March of '16 that they were going to kill off their product, a Software Development Kit (SDK) that allows others to write software that does the tracking and correlating. Yesterday, Ars Technica reported the use of their SDK seems more widespread than ever.

As of January, there were 234 Android apps that were created using SilverPush's publicly available software developer kit, according to the paper, [pdf warning] which was published by researchers from Technische Universität Braunschweig in Germany. That represents a dramatic increase in the number of Android apps known to use the creepy audio tracking scheme. In April 2015, there were only five such apps.
...
A representative sample of just five of the 234 apps have been downloaded from 2.25 million to 11.1 million times, according to the researchers, citing official Google Play figures. None of them discloses the tracking capabilities in their privacy policies.

SilverPush is denying everything. Founder Hitesh Chawla said his company abandoned the ad-tracking business in late 2015.

"We respect consumer privacy and would not want to build our business foundation where the privacy is questionable," he told Ars. "Even when we were live, our SDK was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible. Every time a new handset gets activated with our SDK, we get a ping on our server. We have not received any activation for six months now."

In a case like this, I trust the German researchers over the software company. The team that did the research says all 234 apps positively contain the SilverPush SDK. That means phones that have the apps installed are silently listening for ultrasonic sounds without the knowledge or consent of their owners. On the other hand, the researchers were unable to find any ultrasonic beacons in TV audio, although they thought their tests were too limited in time and scope to really know. For their part, Google said everything in the Google Play store had to meet their requirements for developers to "comprehensively disclose how an app collects, uses and shares user data, including the types of parties with whom it's shared." They never answered the question (from Ars) asking why none of the five apps cited in the research findings disclosed the SilverPush functions. As of yesterday, when Ars published the story, those apps were still in the store.
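
The beacons are described above as tones between 18 and 20 kHz, which makes recorded audio checkable for them. The following is an added example, not code from this post, the researchers' paper or SilverPush: it uses the Goertzel algorithm to look for a narrowband tone standing out of that band. The 44.1 kHz sample rate, frame size, 15 dB threshold and the test signals are assumptions constructed for illustration.

```python
import math
import random
import statistics

RATE = 44100            # Hz, assumed capture rate (not from the post)
BAND = (18000, 20000)   # Hz, the beacon band the post cites
FRAME = 2048            # samples per analysis frame (about 46 ms)
STEP = 25               # Hz between probe frequencies, finer than one bin
THRESHOLD_DB = 15.0     # assumed margin over the band's typical level
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * n / (FRAME - 1)) for n in range(FRAME)]

def goertzel_power(frame, freq):
    """Squared magnitude of the Hann-windowed frame's spectrum at freq."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x, w in zip(frame, HANN):
        s1, s2 = x * w + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan_ultrasonic(samples):
    """Return (peak_hz, peak_over_floor_db, flagged) for the 18-20 kHz band."""
    probes = range(BAND[0], BAND[1] + 1, STEP)
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    power = {f: sum(goertzel_power(fr, f) for fr in frames) for f in probes}
    peak_hz = max(power, key=power.get)
    floor = statistics.median(power.values())   # typical in-band level
    if floor <= 0:                              # digital silence or too few samples
        return peak_hz, 0.0, False
    ratio_db = 10.0 * math.log10(power[peak_hz] / floor)
    return peak_hz, ratio_db, ratio_db >= THRESHOLD_DB

def constructed_audio(beacon_hz=None, seconds=0.2, seed=1):
    """Constructed test signal: 440 Hz programme tone, faint noise, optional beacon."""
    rng = random.Random(seed)
    out = []
    for n in range(int(RATE * seconds)):
        t = n / RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0.0, 0.005)
        if beacon_hz:
            x += 0.02 * math.sin(2 * math.pi * beacon_hz * t)  # 28 dB below the tone
        out.append(x)
    return out

if __name__ == "__main__":
    for label, hz in (("clean", None), ("beacon", 18500)):
        peak, db, flagged = scan_ultrasonic(constructed_audio(hz))
        print(f"{label}: peak {peak} Hz, {db:.1f} dB over floor, flagged={flagged}")
```

A flag here only means a steady tone is present in the band; equipment whine and some motion sensors also emit in this range, so a hit is a reason to look closer, not proof of a tracking beacon.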

There are uses for this technology that are considered ethical. Marketers can track the whereabouts of shoppers as they move throughout a large department store. Promoters using other companies' audio-beacon technologies can also use them to push ads or coupons to people who are near a certain store or service. The researchers said two services—Shopkick and Lisnr—use ultrasonic beaconing for legitimate purposes such as these, and they disclose the tracking prominently.

(Graphic from the Technische Universität Braunschweig pdf)

There are some other possible uses that are considered rather less ethical. Note in particular the last sentence here:

Advertisers, for example, may use the beacons with no disclosure at all to measure how often a particular TV ad is viewed. The technology can also be covertly used to perform cross-device tracking that allows marketers to tie a single person to the multiple media devices she uses. The researchers said the beacons could similarly be used to identify people using the Tor anonymity service.

In summary, an adversary is able to obtain a detailed, comprehensive user profile by creating an ultrasonic side channel between the mobile device and an audio sender. Our case study on three commercial ultrasonic tracking technologies reveals that the outlined tracking mechanisms are not a theoretical threat, but actively deployed (e.g. Shopkick and Lisnr) or at least in the process of being deployed (e.g. SilverPush).

I'm somewhat paranoid about privacy (a blogger with a pseudonym? Who would've guessed?) and this technology creeps me out. I don't want things running on my devices that I don't know about. It even creeps me out when the Weather Channel app puts a little footer on my iPhone that says, "Good morning" and uses my name. My policy on all software is "when I want something out of you, I'll ask you". This stuff brings to mind the increasingly prophetic scene in Minority Report, where Tom Cruise's character is walking into a store and the ads are calling him by name - everything targeted at him. Along with everyone else in the store creating a constant cacophony of ads. I don't like the idea of being watched, listened to or tracked at all, and I don't particularly like the idea of ads being shoved in my face all the time.

I really doubt that the people in India who developed SilverPush give a damn about privacy - ours least of all. I am still using my old Motorola flip that I got back in 2003 or 2004. I've got zero interest in all of the apps I could be using on an iPhone or Android device, and not only do I have SIRI shut off (I _think_ it is ;-) on my Mac laptop, but I have electrician's tape over the camera and microphone. Call me paranoid, but my concern is - am I paranoid enough?

According to the article on Ars Technica, these apps are not playing nice. They say, "None of them discloses the tracking capabilities in their privacy policies." There are also comments that said you may need to be more preemptive than usual.

People won't know to go after this problem unless they know it's a problem. Hence the post.

In the newer versions of Android, you have to give (or deny) access to phone capabilities for each app - GPS, network, contacts, microphone, camera, etc.; if an odd app tries to use the microphone, it'll ask permission and if you are thinking, you may start wondering why it wants it ...

About Me

Retired radio engineer, follower of Christ, RF designer, mentor. Radio ham, home shop machinist, lapidary, silversmith, roadie cyclist, learning to be a rifleman, and home defender, - a guy with too many interests to keep track of.

Contact Me

Have something you'd like to talk about but don't want to use the comments? You can email me at:

SiGraybeard at gmail dot com.

Commercial links

On occasion, I link to books on Amazon.com or to other commercial sites. I do this as a way of illustrating what I'm referring to, not as revenue generation. I do not obtain any revenue or financial reward for this blog. I have not received samples of anything, nor gifts of any kind. My aim is to make the insights worth more than you pay for them.